23 November 2017 | Jack Fisher
We’re not lawyers at Pogo Studio, and we don’t pretend to be. We do however have a responsibility as software developers to understand the laws and regulations in place (and coming into place) that surround the projects we work on. As you’re probably aware, GDPR arrives on May 25th, 2018. There’s a lot to unpack with these regulations, so we’ve spent significant time making sure we are prepared. It’s important that every project we work on, and every project we have worked on in the past, is GDPR compliant come May 25th. Consumer rights deserve to be protected, and we see GDPR as an opportunity to ensure that everything we create is open and fair to the end-user. Let’s check out what we’ll be looking out for.
There are several rights that a user has under GDPR with regards to the collection and handling of their personal data. Personal data is defined as any data that could be used to identify an individual, either on its own or when combined with other information. As well as the obvious, this includes information such as online identifiers, location data, and biometric data. Users have many rights surrounding the processing of their personal data. Some of the rights we are paying close attention to are the right to access the data you have collected about them, the right to erase any data you hold about them, and the right to download their data and take it to another service provider.
Consent is everything under GDPR. Something that will affect many businesses is how their customers give consent to their apps and websites. Under GDPR consent must be actively given. This means it can’t be enabled by default: gone are the days of pre-ticked checkboxes. It must also be unbundled; users cannot be forced to consent to one thing in order to receive another. Finally, consent must be verifiable and documented – as the data holder you must be able to prove who gave consent and how/when they gave it. This means your app or website must record the user consenting and store that record so that it can be used as evidence if necessary.
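As an added illustration (not Pogo Studio's code), here is one way an app could store consent so that it satisfies the three requirements above: every record covers a single purpose (unbundled), nothing is recorded unless the user actually acted on the control (no defaults), and each record keeps who, how, when and which policy wording was shown (verifiable). The `ConsentLedger` class, its method names and the sample purposes are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision for one subject and one purpose (never a bundle)."""
    subject_id: str
    purpose: str          # e.g. "marketing_email"; one purpose per record
    granted: bool         # True = opt-in, False = withdrawal
    method: str           # how it was given, e.g. "web-form-checkbox"
    policy_version: str   # the wording the user actually saw
    timestamp: datetime   # UTC, when the decision was made


class ConsentLedger:
    """Append-only consent record: this is the evidence the regulator may ask for."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, method: str,
               policy_version: str, user_acted: bool,
               now: Optional[datetime] = None) -> ConsentEvent:
        # A form submitted with an untouched (or pre-ticked) control is not consent.
        if not user_acted:
            raise ValueError("consent must be an affirmative action by the user")
        if purpose.strip().lower() in ("", "all", "*"):
            raise ValueError("consent must be unbundled: one purpose per record")
        event = ConsentEvent(subject_id, purpose, True, method, policy_version,
                             now or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 policy_version: str, now: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is also logged, so the trail shows the full history.
        event = ConsentEvent(subject_id, purpose, False, method, policy_version,
                             now or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Only the most recent decision for this exact purpose counts; no record means no consent."""
        latest = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose:
                latest = e
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The who/how/when trail for a subject and purpose, oldest first."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]
```

Before processing data for a purpose, the app calls `has_consent`; before answering an audit or a subject access request, it hands over `evidence`.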
Privacy by Design
Privacy by Design (PbD) is not a new concept for software developers. It is currently a design philosophy that some choose to adopt for moral purposes, but will soon become a requirement under GDPR. The core value of PbD is thinking about the consumer's rights throughout the entire build of a project, from the design stage through to the end of the engagement. In practice, this leads to more user-friendly apps and websites. As a digital agency, it’s important for us to ensure we are following the philosophies of PbD with everything that we create. You can read more about PbD here.
Data breaches must be reported within 72 hours, or immediately if the breach contains sensitive information. In the event of a breach, you will be expected to provide documentation that shows your security measures and proves you are complying with GDPR. There has been a lot of scaremongering around GDPR, with people throwing around figures of fines up to 20 million Euros. Whilst this number is indeed the maximum fine a company can receive for non-compliance, it is very unlikely that it will be given. The reality is that regulators will work with companies to help them fix their problems and get them on track. Fines will only be issued to companies who refuse to cooperate or commit extreme violations.
This has been a very brief overview of GDPR and how it will impact your digital solutions. For more information we recommend you visit the official website for GDPR here.